ModSecurity version 2.9.1-rc1 announcement
Felipe Costa <FCosta <at> trustwave.com>
2016-02-03 17:17:12 GMT
-----BEGIN PGP SIGNED MESSAGE-----
It is a pleasure to announce the first release candidate for ModSecurity
version 2.9.1. The version 2.9.1-RC1 contains fixes and new features.
The new features list includes audit logs in JSON format.
I would like to thank you all, that participate in the construction of
this release. A special thanks to the ones who sent patches and the ones
who participated on the community meetings, which helped to increase the
quality of our releases. Thank you.
The documentation of the new features is already available on our wiki
The source and binaries (and the respective hashes) are available at:
The most important changes are listed bellow:
* New features
- Added support to generate audit logs in JSON format.
[Issue #914, #897, #656 - Robert Paprocki]
- Extended Lua support to include version 5.3
[Issue #837, #762, #814 - Athmane Madjoudj and ModSecurity team]
- mlogc: Allows user to choose between TLS versions (TLSProtocol option
[Issue #881 - Ishwor Gurung]
- Allows mod_proxy's "nocanon" behavior to be specified in proxy actions.
[Issue #1031, #961, #763 - Mario D. Santana and ModSecurity team]
* Bug fixes
- Creating AuditLog serial file (or parallel index) respecting the
permission configured with SecAuditLogFileMode. Previously, it was
used only to save the transactions while in parallel mode.
[Issue #852 - <at> littlecho and ModSecurity team]
- Checking for hashing injection response, to report in case of failure.
[Issue #1041 - ModSecurity team]
- Stop buffering when the request is larger than SecRequestBodyLimit
in ProcessPartial mode
[Issue #709, #705, #728 - Justin Gerace and ModSecurity team]
- Refactoring conditional #if/#defs directives.
[Issue #996 - Wesley M and ModSecurity team]
- mlogc-batch-load.pl.in: fix searching SecAuditLogStorageDir
files with Apache 2.4
[Issue #775 - Elia Pinto]
- Understands IIS 10 as compatible on Windows installer.
[Issue #931 - Anton Serbulov, Pavel Vasilevich and ModSecurity team]
- Fix apache logging limitation by using correct Apache call.
[Issue #840 - Christian Folini]
- Fix apr_crypto.h check on 32-bit Linux platform
[Issue #882, #883 - Kurt Newman]
- Fix variable resolution duration (Content of the DURATION variable).
[Issue #662 - Andrew Elble]
- Fix crash while adding empty keys to persistent collections.
[Issue #927 - Eugene Alekseev, Marc Stern and ModSecurity team]
- Remove misguided call to srand()
[Issues #778, #781 and #836 - Michael Bunk, <at> gilperon]
- Fix compilation problem while ssdeep is installed in non-standard
[Issue #872 - Kurt Newman]
- Fix invalid storage reference by apr_psprintf at msc_crypt.c
[Issue #609 - Jeff Trawick]
* Known issues
- Instabilities of nginx add-on are still expected. Please use the "nginx
refactoring" branch and stay tuned for the ModSecurity version 3.
Felipe "Zimmerle" Costa
Lead Developer for ModSecurity
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - https://gpgtools.org
-----END PGP SIGNATURE-----
This transmission may contain information that is privileged, confidential, and/or exempt from
disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or use of the information contained herein (including any reliance
thereon) is strictly prohibited. If you received this transmission in error, please immediately
contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: